Win32/FakeScanti is a rogue that claims to scan for malware and displays fake warnings of "malicious programs and viruses". It tells you that you need to pay to register this fake program and remove the non-existent threats. Win32/FakeScanti variants have been observed to use names like:

  • AKM Antivirus Pro
  • AV Guard Online
  • BlueFlare Antivirus
  • Guard Online
  • Milestone Antivirus
  • Open Cloud AV
  • OpenCloud Antivirus
  • Security Guard 2012
  • Sysinternals Antivirus
  • Windows Antivirus Pro
  • Windows Police Pro
  • XJR Antivirus
  • Your PC Protector

What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

You can also visit the Microsoft virus and malware community for more help.

Threat behavior


Win32/FakeScanti is typically downloaded and installed by an installer component, also detected as Win32/FakeScanti. The installer downloads a self-extracting archive to a location on your PC like:

It extracts the files onto your PC. The installer component then runs one of the extracted files to launch Win32/FakeScanti:

Note that some of the extracted files might include clean Microsoft DLL files, which this threat needs to run properly.

The installer also adds a shortcut to the Start menu, and a desktop shortcut that might look like the following:

Once the installer has completed, it deletes itself.

When first run, Win32/FakeScanti extracts files to the %ProgramFiles% folder, with names like the following:

  • alggui.exe
  • adc32.dll or adc_w32.dll
  • svchost.exe

  • conhost.exe
  • csrss.exe
  • shk_v10.dll

Earlier variants extract their files as any of these files in your PC:

They would then drop these files into the same folder in which they had extracted files earlier:

  • wf.conf
  • OpenCloud Antivirus.ico

It might periodically rewrite some of these files to prevent them from being removed.
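Several of the dropped file names above are also the names of genuine Windows binaries, so the location is what gives them away. The following triage sketch is an added example, not part of the original entry; the sample paths are constructed and the trusted directories assume a default install on C:.

```python
import ntpath

# Names from this page that are also the names of genuine Windows binaries.
SYSTEM_NAMES = {"svchost.exe", "conhost.exe", "csrss.exe"}
# Names from this page that are specific to the rogue.
FAMILY_NAMES = {"alggui.exe", "adc32.dll", "adc_w32.dll", "shk_v10.dll", "wf.conf"}
# Assumption: default install on C:, where the genuine binaries load from.
# Servicing copies under C:\Windows\WinSxS are not listed here and would be
# flagged by a full-disk sweep, so feed this process image paths or a
# listing limited to the Program Files tree.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def triage(paths):
    """Return (path, reason) for each path that matches the page's description."""
    findings = []
    for path in paths:
        directory, name = ntpath.split(ntpath.normpath(path))
        directory, name = directory.lower(), name.lower()
        if name in SYSTEM_NAMES and directory not in TRUSTED_DIRS:
            findings.append((path, "system binary name outside System32"))
        elif name in FAMILY_NAMES and r"\program files" in directory:
            findings.append((path, "file name listed for Win32/FakeScanti"))
    return findings

# Constructed sample of process image paths and dropped files.
SAMPLE_PATHS = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Program Files\svchost.exe",
    r"C:\Program Files\csrss.exe",
    r"C:\Program Files\alggui.exe",
    r"C:\Program Files\OpenCloud Antivirus\wf.conf",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
]

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_PATHS):
        print(f"{reason}: {path}")
```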

It also writes a self-extracting archive to a file like %ProgramFiles%\<product name>\tmp\dbsinit.exe. The contents of the file are extracted and moved to one of these folders:

The extracted files consist of an HTML file and a number of image files, which are used to create an image of a fake Security Center window (see Payload below). The HTML file and archive might be detected as Win32/FakeScanti.

This threat might also write configuration information to the following files:

Earlier versions might use these file names:


Displays fake antivirus scanner

When run, the malware does a fake scan of the system, and falsely claims that files in your PC are infected with malware. If you want to remove these fake threats, it says, you need to register your program and pay them money.

When a fake scan "finishes", this threat displays a message like this:

Trying to repair the files will result in the display of dialog boxes like these:

You might see this dialog box if scanning is interrupted:

If you don't want to activate the product, it shows you this:

If you start the activation process, it displays a page with this banner:

Shows fake Windows Security Center

This threat periodically displays a window that's intended to imitate the Windows Security Center. Clicking on any of the links in this window causes the fake scanner to be re-launched:

Prevents other files from running

If you try to run other applications, this threat tries to prevent this from happening. It displays a message box with the following message:

It does this by adding a registry entry like the following:

In subkey: HKLM\SOFTWARE\Classes\exefile\shell\open\command
Sets value: "(default)"
With data: "%ProgramFiles%\alggui.exe "%1" %*"

This associates files with an EXE extension with the FakeScanti component alggui.exe. Whenever you try to run an executable file, alggui.exe is run instead, with the name of the executable passed to it as a command line parameter.
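The check below compares a captured handler value against the stock Windows data, `"%1" %*`, and reports any program placed in front of it, as this entry describes. It is an added example, not part of the original entry; the sample is constructed and the parser assumes the English-language output of `reg query <key> /ve`.

```python
import re

# Stock Windows data for the (Default) value of exefile\shell\open\command.
DEFAULT_HANDLER = '"%1" %*'

# Shape described on this page: a program placed in front of "%1" %*.
INTERPOSED = re.compile(r'^"?(?P<prog>.+?\.exe)"?\s+"%1"\s+%\*$', re.IGNORECASE)

# Data line as printed by `reg query <key> /ve` on an English-language system.
REG_LINE = re.compile(r'^\s+\(Default\)\s+REG_(?:EXPAND_)?SZ\s+(?P<data>.*)$')

def classify_handler(data):
    """Return (verdict, interposed_program) for one handler string."""
    value = data.strip()
    if value == DEFAULT_HANDLER:
        return ("default", None)
    match = INTERPOSED.match(value)
    if match:
        return ("hijacked", match.group("prog"))
    return ("modified", None)  # not stock, not the page's pattern: review by hand

def audit_reg_query(output):
    """Classify every (Default) value found in captured `reg query` output."""
    results = []
    key = None
    for line in output.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        else:
            match = REG_LINE.match(line)
            if match:
                results.append((key,) + classify_handler(match.group("data")))
    return results

# Constructed sample: the HKLM value set the way this page describes.
SAMPLE = r'''
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command
    (Default)    REG_SZ    %ProgramFiles%\alggui.exe "%1" %*
'''

if __name__ == "__main__":
    for key, verdict, program in audit_reg_query(SAMPLE):
        print(f"{verdict:9} {program or '-':30} {key}")
```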

This threat then checks this parameter to decide whether to let the program run. It will then either launch the requested program, or block it. If it decides to block it, it displays a message box similar to that shown above. One sample viewed at the time of publication blocked running all executables except those with file names containing these strings:

  • Sysinternals Antivirus.exe
  • iexplore.exe
  • dbsinit.exe
  • av_remove.exe
  • lib32_
  • 2945
  • exe.exe
  • 272-new.exe
  • 01.exe
  • word.exe
  • server.exe
  • 423ewq3.exe

Note: No programs are blocked unless the malware's scanner window is open.

Displays pop-ups

This threat might periodically display pop-up balloons like these, which suggest that your PC is being attacked:

It might also display pop-up balloons from the system tray, like the following:

Clicking on any of these causes the fake scanner to be re-launched. It might also periodically display pop-ups like these:

Changes desktop background

At some time after they are first launched, earlier versions of the malware add the following text to your desktop background:

Such infection will cause permanent loss of all information stored on your PC: documents, files, etc.
All your secret data like logins, passwords, credit card information can be accessed by third-parties for malicious purposes.
All your online activities like sending e-mails, visiting web-sites are logged and stored on your hard disk.
Spyware blocks the deletion of such information from your PC and makes your online actions traceable.

The threat does this by changing the file %APPDATA%\Microsoft\Internet Explorer\Desktop.htt, using the contents of files earlier written to <system folder>\onhelp.htm and <system folder>\sonhelp.htm.

Displays fake error messages

This threat periodically displays the following dialog box, which tries to pass itself off as a Windows system error message:

If the user clicks the Fix it button, the fake scanner is re-launched. The other buttons do not appear to have any effect.

Reboots PC

This threat occasionally reboots your PC.

Blocks access to websites

This threat might display the following pop-up and block access to websites you're trying to visit. It might show the following fake dialog box, to try to convince you that you're visiting a malicious website and that you need to take the recommended action:

Stops security programs

It might try to stop and/or uninstall security software from the following companies:

  • Microsoft (Windows Defender/Security Essentials)
  • Norton
  • Avira
  • AVG
  • ESET
  • DrWeb
  • Kaspersky
  • Bitdefender
  • McAfee

Analysis by David Wood


The following could indicate that you have this threat on your PC:

  • You have these files:
  • You can't go to certain websites:
  • You can't run programs, especially security ones:
  • You see these icons or programs on your desktop, in the Start menu or Start screen, or on your taskbar:


Alert level: Severe
This entry was first published on: Aug 17, 2010
This entry was updated on: Mar 24, 2014

This threat is also detected as:
  • OpenCloud Antivirus (other)
  • OpenCloud Security (other)
  • FakeAlert-GA.dll (McAfee)
  • Win32/WindowsAntivirusPro.F (CA)
  • Adware/WindowsAntivirusPro (Panda)
  • Trojan.Fakeavalert (Symantec)
  • AKM Antivirus 2010 (other)
  • BlueFlare Antivirus (other)
  • Milestone Antivirus (other)
  • PC Protector (other)
  • Sysinternals Antivirus (other)
  • Trojan:Win32/FakeScanti (other)
  • TrojanDownloader:Win32/FakeScanti (other)
  • Windows Antivirus Pro (other)
  • Windows Police Pro (other)
  • Wireshark Antivirus (other)
  • Wolfram Antivirus (other)
  • Your PC Protector (other)
  • Open Cloud AV (other)
  • Security Guard 2012 (other)
  • AV Guard Online (other)
  • Guard Online (other)
  • AV Protection Online (other)
  • Cloud Protection (other)
  • System Security 2011 (other)
  • System Security 2012 (other)
  • AV Security 2012 (other)
  • AV Protection 2011 (other)
  • Cloud AV 2012 (other)